How to add a new orderer organization to an existing Hyperledger Fabric network

Posted: 2020-04-09 13:31:47

Tags: hyperledger-fabric hyperledger raft

I am trying to add a new orderer organization to an existing RAFT-based ordering service. I am using first-network from fabric-samples as the base network. When generating the crypto material, I modified it to also generate crypto material for 1 additional orderer organization. The crypto-config.yaml looks like:

OrdererOrgs:
  # ---------------------------------------------------------------------------
  # Orderer
  # ---------------------------------------------------------------------------
  - Name: Orderer
    Domain: example.com
    EnableNodeOUs: true
    # ---------------------------------------------------------------------------
    # "Specs" - See PeerOrgs below for complete description
    # ---------------------------------------------------------------------------
    Specs:
      - Hostname: orderer
      - Hostname: orderer2
      - Hostname: orderer3
      - Hostname: orderer4
      - Hostname: orderer5
  - Name: Orderer1
    Domain: example1.com
    EnableNodeOUs: true
    Specs:
      - Hostname: orderer
      - Hostname: orderer2
      - Hostname: orderer3

# ---------------------------------------------------------------------------
# "PeerOrgs" - Definition of organizations managing peer nodes
# ---------------------------------------------------------------------------
PeerOrgs:
  # ---------------------------------------------------------------------------
  # Org1
  # ---------------------------------------------------------------------------
  - Name: Org1
    Domain: org1.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
      # Start: 5
      # Hostname: {{.Prefix}}{{.Index}} # default
    # ---------------------------------------------------------------------------
    # "Users"
    # ---------------------------------------------------------------------------
    # Count: The number of user accounts _in addition_ to Admin
    # ---------------------------------------------------------------------------
    Users:
      Count: 1
  # ---------------------------------------------------------------------------
  # Org2: See "Org1" for full specification
  # ---------------------------------------------------------------------------
  - Name: Org2
    Domain: org2.example.com
    EnableNodeOUs: true
    Template:
      Count: 2
    Users:
      Count: 1

Also, the configtx.yaml used to create the new orderer organization's MSP in JSON format is given as:

Organizations:
    - &Orderer1Org
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: Orderer1Org

        # ID to load the MSP definition as
        ID: Orderer1MSP

        MSPDir: ../crypto-config/ordererOrganizations/example1.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Orderer1MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('Orderer1MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('Orderer1MSP.admin')"

Then I start the network using byfn.sh. Now I use the cli container to modify the system channel configuration with the following steps:

  1. First, I add the organization's JSON to the Orderer group as shown below and submit the channel update:

    jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > modified_config.json

  2. Then I add the organization's JSON to the Consortium group as shown below and submit the channel update:

    jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"SampleConsortium":{"groups": {"Orderer1MSP":.[1]}}}}}}}' config1.json orderer1org.json > modified_config1.json

  3. Then I add the organization's orderer1 TLS certificate to the Consenters section and submit the channel update:

    cert=`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`

    cat modified_config1.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "orderer.example1.com", "port": 7050, "server_tls_cert": "'$cert'"}]' > modified_config2.json

  4. Then I update the Application group of the system channel configuration with the new orderer org's JSON:

    jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > modified_config.json

Then I start one of the orderers in the new organization (orderer.example1.com), but the container fails with the following error:

2020-04-09 13:09:05.600 UTC [orderer.common.cluster.replication] fetchLastBlockSeq -> WARN 0e8 Received status:FORBIDDEN  from orderer.example.com:7050: forbidden pulling the channel
2020-04-09 13:09:05.600 UTC [orderer.common.cluster.replication] func1 -> WARN 0e9 Received error of type 'forbidden pulling the channel' from {orderer.example.com:7050 [certs]}

The orderer.example.com logs throw this error:

2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3c Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.338 UTC [cauthdsl] deduplicate -> ERRO a3d Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.339 UTC [cauthdsl] deduplicate -> ERRO a3e Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.340 UTC [cauthdsl] deduplicate -> ERRO a3f Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
2020-04-09 13:28:59.340 UTC [common.deliver] deliverBlocks -> WARN a40 [channel: byfn-sys-channel] Client authorization revoked for deliver request from 172.25.0.15:36196: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
2020-04-09 13:28:59.341 UTC [comm.grpc.server] 1 -> INFO a41 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.25.0.15:36196 grpc.peer_subject="CN=orderer.example1.com,L=San Francisco,ST=California,C=US" grpc.code=OK grpc.call_duration=4.992078ms

2 answers:

Answer 0 (score: 1)

I was able to extend first-network by adding a new orderer organization as follows:

  1. Start first-network in etcdraft mode using the byfn.sh script in the fabric-samples repo.
  2. Generate the crypto material as described in the crypto-config.yaml in the question above.
  3. Print the new orderer organization's MSP in JSON format using the configtxgen tool.
  4. Mount or docker cp that JSON file into the running cli container.
  5. Inside the cli container, set up the environment corresponding to an existing orderer node. Fetch the latest system-channel configuration and decode it into JSON format.
  6. Edit the Orderer section of the system channel config block to add the new orderer organization's MSP as follows:

    jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"Orderer1Org":.[1]}}}}}' config.json orderer1org.json > config1.json

  7. Edit the Consortiums section of the system channel config block to add the new orderer organization's MSP as follows:

    jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"SampleConsortium":{"groups": {"Orderer1MSP":.[1]}}}}}}}' config1.json orderer1org.json > config2.json

  8. Edit the Consenters section of the system channel config block to add the TLS credentials of the new orderer organization's orderer.example1.com node, as follows:

    cert=`base64 ../crypto/ordererOrganizations/example1.com/orderers/orderer.example1.com/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`

    cat config2.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "orderer.example1.com", "port": 7050, "server_tls_cert": "'$cert'"}] ' > modified_config.json

  9. Encode the block, compute the delta, create the channel update transaction, wrap it in a protobuf envelope, and submit the channel update transaction.

  10. Fetch the latest system channel config block.
  11. Start an orderer (the one added to the consenters list earlier) using this freshly fetched system channel config block as its genesis.block file.
  12. docker exec into the cli container. Using an existing orderer node's environment, fetch the latest system channel configuration.
  13. Edit the system channel config block to add the new orderer's endpoint in the OrdererAddresses section as follows:

    cat config.json | jq '.channel_group.values.OrdererAddresses.value.addresses += ["orderer.example1.com:7050"] ' > modified_config.json

  14. Encode the block, compute the delta, create the channel update transaction, wrap it in a protobuf envelope, and get it signed by the Orderer1Org admin, because the mod_policy of the /Channel/OrdererAddresses resource is set to the Admins policy. This implicit meta-policy expects MAJORITY Admins to sign at that level of the update. So, since the number of orderer organizations is now 2, we need the admins of both organizations to sign this system channel update transaction. Set the environment corresponding to the Orderer1Org admin and run the following command:

    peer channel signconfigtx -f ordorg_update_in_envelope.pb

  15. Set the environment back to the OrdererOrg admin and submit the channel update transaction. peer channel update will automatically sign the transaction on behalf of the OrdererOrg admin.

    peer channel update -f ordorg_update_in_envelope.pb -c $CHANNEL_NAME -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA

To update any application channel, simply replace step 7 with updating the Application section of the application channel config block to add the new orderer organization's MSP there.

Hope this helps!

Answer 1 (score: 0)

I followed the above sequence of steps to add a new orderer organization to an existing network, but the channel update (i.e. the config change to the orderer channel) throws an error as shown below,

    2020-09-29 00:53:49.794 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
    Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'e2e-orderer-syschan': error authorizing update: error validating DeltaSet: policy for [Value]  /Channel/OrdererAddresses not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

I modified the json block with the following calls (I tried mix-and-match combinations of the json change steps below)

jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"'${KL_NEW_ORDERER_NAME}'":.[1]}}}}}' config.json ${KL_NEW_ORDERER_NAME}.json > modified-config.json 
jq -s '.[0] * {"channel_group":{"groups":{"Orderer":{"groups": {"'${KL_NEW_ORDERER_NAME}'":.[1]}}}}}' modified-config.json ${KL_NEW_ORDERER_NAME}.json > modified-config1.json 

jq -s '.[0] * {"channel_group":{"groups":{"Consortiums":{"groups":{"'${KL_CONSORTIUM_NAME}'":{"groups": {"Orderermk01MSP":.[1]}}}}}}}' modified-config1.json  ${KL_NEW_ORDERER_NAME}.json > modified-config2.json 

LENGTH=$(jq '.channel_group.values.OrdererAddresses.value.addresses | length' modified-config2.json)
jq '.channel_group.values.OrdererAddresses.value.addresses['${LENGTH}'] |= "'${KL_NEW_ORDERER_URL}'"' modified-config2.json > modified-config3.json

cert=`base64 /hl-material/mk01-orderer/crypto-config/ordererOrganizations/${KL_DOMAIN}/orderers/orderer.mk01.${KL_DOMAIN}/tls/server.crt | sed ':a;N;$!ba;s/\n//g'`
cat modified-config3.json | jq '.channel_group.groups.Orderer.values.ConsensusType.value.metadata.consenters += [{"client_tls_cert": "'$cert'", "host": "raft0.mk01.'${KL_DOMAIN}'", "port": 32050, "server_tls_cert": "'$cert'"}] ' > modified-config4.json

My network setup is based on HLF 2.2 LTS with 5 raft nodes under a K8s cluster.

I have successfully set up multiple channels and multiple peer organizations on 2.2 LTS (and know how to do this dynamically without disrupting the network). But now I am looking for a way to extend the orderer organizations dynamically across multiple clusters/organizations. Any hints or updates needed to the above steps? Thanks again, Maria
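The jq edits in the question, in answer 0 (steps 6, 7, 8 and 13) and in answer 1 all rewrite the same few paths of the decoded system-channel config. The following Python script is an added example, not code from any of the posters or from Fabric itself: it applies the same edits to a constructed, minimal stand-in for a decoded config (the real configtxlator output is far larger), lists the paths each update touches, and counts how many orderer-org admin signatures a MAJORITY Admins policy needs before and after the new org is added. The org JSON, the PEM text and the config shape are constructed placeholders, and `changed_paths` is only a rough stand-in for `configtxlator compute_update`.

```python
"""Apply the thread's system-channel config edits to a constructed config, offline."""
import base64
import copy

# Constructed stand-in for a decoded system-channel config; only the paths the
# thread touches are modelled. One orderer org, one raft consenter.
SAMPLE_CONFIG = {
    "channel_group": {
        "groups": {
            "Orderer": {
                "groups": {"OrdererOrg": {"values": {"MSP": {"value": {"config": {"name": "OrdererMSP"}}}}}},
                "values": {"ConsensusType": {"value": {"type": "etcdraft", "metadata": {"consenters": [
                    {"host": "orderer.example.com", "port": 7050,
                     "client_tls_cert": "PLACEHOLDER", "server_tls_cert": "PLACEHOLDER"}]}}}},
            },
            "Consortiums": {"groups": {"SampleConsortium": {"groups": {}}}},
        },
        "values": {"OrdererAddresses": {"value": {"addresses": ["orderer.example.com:7050"]}}},
    }
}

# Constructed stand-in for the `configtxgen -printOrg` JSON of the new org (hypothetical content).
ORDERER1_ORG_JSON = {
    "mod_policy": "Admins",
    "values": {"MSP": {"value": {"config": {"name": "Orderer1MSP"}}}},
}

# Constructed PEM text; the encoding step only cares that it is the file's bytes.
SAMPLE_TLS_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"


def tls_cert_for_consenter(pem_text):
    """Same as `base64 server.crt | sed ':a;N;$!ba;s/\\n//g'`: single-line base64 of the file."""
    return base64.b64encode(pem_text.encode()).decode()


def add_orderer_org(config, org_name, msp_id, org_json, consortium, host, port, pem_text):
    """Answer 0, steps 6-8: org under Orderer and Consortiums, then its consenter entry."""
    cfg = copy.deepcopy(config)
    groups = cfg["channel_group"]["groups"]
    groups["Orderer"]["groups"][org_name] = copy.deepcopy(org_json)
    groups["Consortiums"]["groups"][consortium]["groups"][msp_id] = copy.deepcopy(org_json)
    consenters = groups["Orderer"]["values"]["ConsensusType"]["value"]["metadata"]["consenters"]
    if any(c["host"] == host and c["port"] == port for c in consenters):
        raise ValueError(f"consenter {host}:{port} already present")
    cert = tls_cert_for_consenter(pem_text)
    consenters.append({"client_tls_cert": cert, "host": host, "port": port, "server_tls_cert": cert})
    return cfg


def add_orderer_address(config, endpoint):
    """Answer 0, step 13: append the new endpoint to OrdererAddresses (idempotent)."""
    cfg = copy.deepcopy(config)
    addresses = cfg["channel_group"]["values"]["OrdererAddresses"]["value"]["addresses"]
    if endpoint not in addresses:
        addresses.append(endpoint)
    return cfg


def orderer_org_count(config):
    return len(config["channel_group"]["groups"]["Orderer"]["groups"])


def admin_signatures_needed(config):
    """MAJORITY Admins over the orderer orgs of the config the update is applied to."""
    return orderer_org_count(config) // 2 + 1


def changed_paths(old, new, prefix=""):
    """Rough analogue of `configtxlator compute_update`: dotted paths whose value differs."""
    if isinstance(old, dict) and isinstance(new, dict):
        paths = []
        for key in sorted(set(old) | set(new)):
            if key not in old or key not in new:
                paths.append(f"{prefix}{key}")
            else:
                paths.extend(changed_paths(old[key], new[key], f"{prefix}{key}."))
        return paths
    return [] if old == new else [prefix.rstrip(".")]


if __name__ == "__main__":
    # Update 1: add the org and its consenter; evaluated against a 1-org config.
    update1 = add_orderer_org(SAMPLE_CONFIG, "Orderer1Org", "Orderer1MSP", ORDERER1_ORG_JSON,
                              "SampleConsortium", "orderer.example1.com", 7050, SAMPLE_TLS_PEM)
    print("update 1 touches:", changed_paths(SAMPLE_CONFIG, update1))
    print("admin signatures needed:", admin_signatures_needed(SAMPLE_CONFIG))
    # Update 2: add the endpoint; now evaluated against a 2-org config, so both admins sign.
    update2 = add_orderer_address(update1, "orderer.example1.com:7050")
    print("update 2 touches:", changed_paths(update1, update2))
    print("admin signatures needed:", admin_signatures_needed(update1))
```

Splitting the work into two updates, as answer 0 does, is what makes the signature count visible: the first update is checked against the config that still has one orderer org, the second against the config that already has two, which is why the OrdererAddresses change in answer 1 reports that no 'Admins' sub-policy was satisfied when only one admin signed.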
